<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US">
<head>
<!-- GenHTML revision 25226-->
<meta http-equiv="Content-type" content="text/html; charset=utf-8">
<title>Establishing a Secure Connection Using SSL - The Java EE 6 Tutorial</title>
<meta name="robots" content="index,follow">
<meta name="robots" content="index,follow">
<meta name="date" content="2011-03-01">
<link rel="stylesheet" type="text/css" href="css/default.css">
<link rel="stylesheet" type="text/css" href="css/ipg.css">
<link rel="stylesheet" type="text/css" href="css/javaeetutorial.css">
</head>

<body>

<table border="0" cellpadding="5" cellspacing="0" width="100%">
<tbody>
   <tr valign="top">
      <td width="400px"><p class="toc level1"><a href="docinfo.html">Document Information</a></p>
<p class="toc level1 tocsp"><a href="gexaf.html">Preface</a></p>
<p class="toc level1 tocsp"><a href="gfirp.html">Part&nbsp;I&nbsp;Introduction</a></p>
<p class="toc level2"><a href="bnaaw.html">1.&nbsp;&nbsp;Overview</a></p>
<p class="toc level2"><a href="gfiud.html">2.&nbsp;&nbsp;Using the Tutorial Examples</a></p>
<p class="toc level1 tocsp"><a href="bnadp.html">Part&nbsp;II&nbsp;The Web Tier</a></p>
<p class="toc level2"><a href="bnadr.html">3.&nbsp;&nbsp;Getting Started with Web Applications</a></p>
<p class="toc level2"><a href="bnaph.html">4.&nbsp;&nbsp;JavaServer Faces Technology</a></p>
<p class="toc level2"><a href="giepx.html">5.&nbsp;&nbsp;Introduction to Facelets</a></p>
<p class="toc level2"><a href="gjddd.html">6.&nbsp;&nbsp;Expression Language</a></p>
<p class="toc level2"><a href="bnaqz.html">7.&nbsp;&nbsp;Using JavaServer Faces Technology in Web Pages</a></p>
<p class="toc level2"><a href="gjcut.html">8.&nbsp;&nbsp;Using Converters, Listeners, and Validators</a></p>
<p class="toc level2"><a href="bnatx.html">9.&nbsp;&nbsp;Developing with JavaServer Faces Technology</a></p>
<p class="toc level2"><a href="gkmaa.html">10.&nbsp;&nbsp;JavaServer Faces Technology Advanced Concepts</a></p>
<p class="toc level2"><a href="bnawo.html">11.&nbsp;&nbsp;Configuring JavaServer Faces Applications</a></p>
<p class="toc level2"><a href="gkiow.html">12.&nbsp;&nbsp;Using Ajax with JavaServer Faces Technology</a></p>
<p class="toc level2"><a href="gkhxa.html">13.&nbsp;&nbsp;Advanced Composite Components</a></p>
<p class="toc level2"><a href="bnavg.html">14.&nbsp;&nbsp;Creating Custom UI Components</a></p>
<p class="toc level2"><a href="bnafd.html">15.&nbsp;&nbsp;Java Servlet Technology</a></p>
<p class="toc level2"><a href="bnaxu.html">16.&nbsp;&nbsp;Internationalizing and Localizing Web Applications</a></p>
<p class="toc level1 tocsp"><a href="bnayk.html">Part&nbsp;III&nbsp;Web Services</a></p>
<p class="toc level2"><a href="gijti.html">17.&nbsp;&nbsp;Introduction to Web Services</a></p>
<p class="toc level2"><a href="bnayl.html">18.&nbsp;&nbsp;Building Web Services with JAX-WS</a></p>
<p class="toc level2"><a href="giepu.html">19.&nbsp;&nbsp;Building RESTful Web Services with JAX-RS</a></p>
<p class="toc level2"><a href="gjjxe.html">20.&nbsp;&nbsp;Advanced JAX-RS Features</a></p>
<p class="toc level2"><a href="gkojl.html">21.&nbsp;&nbsp;Running the Advanced JAX-RS Example Application</a></p>
<p class="toc level1 tocsp"><a href="bnblr.html">Part&nbsp;IV&nbsp;Enterprise Beans</a></p>
<p class="toc level2"><a href="gijsz.html">22.&nbsp;&nbsp;Enterprise Beans</a></p>
<p class="toc level2"><a href="gijre.html">23.&nbsp;&nbsp;Getting Started with Enterprise Beans</a></p>
<p class="toc level2"><a href="gijrb.html">24.&nbsp;&nbsp;Running the Enterprise Bean Examples</a></p>
<p class="toc level2"><a href="bnbpk.html">25.&nbsp;&nbsp;A Message-Driven Bean Example</a></p>
<p class="toc level2"><a href="gkcqz.html">26.&nbsp;&nbsp;Using the Embedded Enterprise Bean Container</a></p>
<p class="toc level2"><a href="gkidz.html">27.&nbsp;&nbsp;Using Asynchronous Method Invocation in Session Beans</a></p>
<p class="toc level1 tocsp"><a href="gjbnr.html">Part&nbsp;V&nbsp;Contexts and Dependency Injection for the Java EE Platform</a></p>
<p class="toc level2"><a href="giwhb.html">28.&nbsp;&nbsp;Introduction to Contexts and Dependency Injection for the Java EE Platform</a></p>
<p class="toc level2"><a href="gjbls.html">29.&nbsp;&nbsp;Running the Basic Contexts and Dependency Injection Examples</a></p>
<p class="toc level2"><a href="gjehi.html">30.&nbsp;&nbsp;Contexts and Dependency Injection for the Java EE Platform: Advanced Topics</a></p>
<p class="toc level2"><a href="gkhre.html">31.&nbsp;&nbsp;Running the Advanced Contexts and Dependency Injection Examples</a></p>
<p class="toc level1 tocsp"><a href="bnbpy.html">Part&nbsp;VI&nbsp;Persistence</a></p>
<p class="toc level2"><a href="bnbpz.html">32.&nbsp;&nbsp;Introduction to the Java Persistence API</a></p>
<p class="toc level2"><a href="gijst.html">33.&nbsp;&nbsp;Running the Persistence Examples</a></p>
<p class="toc level2"><a href="bnbtg.html">34.&nbsp;&nbsp;The Java Persistence Query Language</a></p>
<p class="toc level2"><a href="gjitv.html">35.&nbsp;&nbsp;Using the Criteria API to Create Queries</a></p>
<p class="toc level2"><a href="gkjiq.html">36.&nbsp;&nbsp;Creating and Using String-Based Criteria Queries</a></p>
<p class="toc level2"><a href="gkjjf.html">37.&nbsp;&nbsp;Controlling Concurrent Access to Entity Data with Locking</a></p>
<p class="toc level2"><a href="gkjia.html">38.&nbsp;&nbsp;Improving the Performance of Java Persistence API Applications By Setting a Second-Level Cache</a></p>
<p class="toc level1 tocsp"><a href="gijrp.html">Part&nbsp;VII&nbsp;Security</a></p>
<p class="toc level2"><a href="bnbwj.html">39.&nbsp;&nbsp;Introduction to Security in the Java EE Platform</a></p>
<p class="toc level3"><a href="bnbwk.html">Overview of Java EE Security</a></p>
<p class="toc level4"><a href="bnbwk.html#bnbwl">A Simple Application Security Walkthrough</a></p>
<p class="toc level5"><a href="bnbwk.html#bnbwm">Step 1: Initial Request</a></p>
<p class="toc level5"><a href="bnbwk.html#bnbwo">Step 2: Initial Authentication</a></p>
<p class="toc level5"><a href="bnbwk.html#bnbwq">Step 3: URL Authorization</a></p>
<p class="toc level5"><a href="bnbwk.html#bnbws">Step 4: Fulfilling the Original Request</a></p>
<p class="toc level5"><a href="bnbwk.html#bnbwu">Step 5: Invoking Enterprise Bean Business Methods</a></p>
<p class="toc level4 tocsp"><a href="bnbwk.html#bnbww">Features of a Security Mechanism</a></p>
<p class="toc level4"><a href="bnbwk.html#bnbwx">Characteristics of Application Security</a></p>
<p class="toc level3 tocsp"><a href="bnbwy.html">Security Mechanisms</a></p>
<p class="toc level4"><a href="bnbwy.html#bnbwz">Java SE Security Mechanisms</a></p>
<p class="toc level4"><a href="bnbwy.html#bnbxa">Java EE Security Mechanisms</a></p>
<p class="toc level5"><a href="bnbwy.html#bnbxb">Application-Layer Security</a></p>
<p class="toc level5"><a href="bnbwy.html#bnbxc">Transport-Layer Security</a></p>
<p class="toc level5"><a href="bnbwy.html#bnbxd">Message-Layer Security</a></p>
<p class="toc level3 tocsp"><a href="bnbxe.html">Securing Containers</a></p>
<p class="toc level4"><a href="bnbxe.html#bnbxg">Using Annotations to Specify Security Information</a></p>
<p class="toc level4"><a href="bnbxe.html#bnbxf">Using Deployment Descriptors for Declarative Security</a></p>
<p class="toc level4"><a href="bnbxe.html#bnbxh">Using Programmatic Security</a></p>
<p class="toc level3 tocsp"><a href="bnbxi.html">Securing the GlassFish Server</a></p>
<p class="toc level3"><a href="bnbxj.html">Working with Realms, Users, Groups, and Roles</a></p>
<p class="toc level4"><a href="bnbxj.html#bnbxk">What Are Realms, Users, Groups, and Roles?</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxm">What Is a Realm?</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxn">What Is a User?</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxo">What Is a Group?</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxp">What Is a Role?</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxq">Some Other Terminology</a></p>
<p class="toc level4 tocsp"><a href="bnbxj.html#bnbxr">Managing Users and Groups on the GlassFish Server</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxs">To Add Users to the GlassFish Server</a></p>
<p class="toc level5"><a href="bnbxj.html#bnbxt">Adding Users to the Certificate Realm</a></p>
<p class="toc level4 tocsp"><a href="bnbxj.html#bnbxu">Setting Up Security Roles</a></p>
<p class="toc level4"><a href="bnbxj.html#bnbxv">Mapping Roles to Users and Groups</a></p>
<div id="scrolltoc" class="onpage">
<p class="toc level3 tocsp"><a href="">Establishing a Secure Connection Using SSL</a></p>
<p class="toc level4"><a href="#bnbxx">Verifying and Configuring SSL Support</a></p>
<p class="toc level4"><a href="#bnbyb">Working with Digital Certificates</a></p>
<p class="toc level5"><a href="#bnbyc">Creating a Server Certificate</a></p>
</div>
<p class="toc level3 tocsp"><a href="bnbyj.html">Further Information about Security</a></p>
<p class="toc level2 tocsp"><a href="bncas.html">40.&nbsp;&nbsp;Getting Started Securing Web Applications</a></p>
<p class="toc level2"><a href="bnbyk.html">41.&nbsp;&nbsp;Getting Started Securing Enterprise Applications</a></p>
<p class="toc level1 tocsp"><a href="gijue.html">Part&nbsp;VIII&nbsp;Java EE Supporting Technologies</a></p>
<p class="toc level2"><a href="gijto.html">42.&nbsp;&nbsp;Introduction to Java EE Supporting Technologies</a></p>
<p class="toc level2"><a href="bncih.html">43.&nbsp;&nbsp;Transactions</a></p>
<p class="toc level2"><a href="bncjh.html">44.&nbsp;&nbsp;Resource Connections</a></p>
<p class="toc level2"><a href="bncdq.html">45.&nbsp;&nbsp;Java Message Service Concepts</a></p>
<p class="toc level2"><a href="bncgv.html">46.&nbsp;&nbsp;Java Message Service Examples</a></p>
<p class="toc level2"><a href="gkahp.html">47.&nbsp;&nbsp;Advanced Bean Validation Concepts and Examples</a></p>
<p class="toc level2"><a href="gkeed.html">48.&nbsp;&nbsp;Using Java EE Interceptors</a></p>
<p class="toc level1 tocsp"><a href="gkgjw.html">Part&nbsp;IX&nbsp;Case Studies</a></p>
<p class="toc level2"><a href="gkaee.html">49.&nbsp;&nbsp;Duke's Tutoring Case Study Example</a></p>
<p class="toc level1 tocsp"><a href="idx-1.html">Index</a></p>
</td>
      <td width="10px">&nbsp;</td>
      <td>
         <div class="header">
             <div class="banner">
                <table width="100%" border="0" cellpadding="5" cellspacing="0">
                   <tbody>
                      <tr>
                         <td valign="bottom"><p class="Banner">The Java EE 6 Tutorial
</p></td>
                         <td align="right"  valign="bottom"><img src="graphics/javalogo.png" alt="Java Coffee Cup logo"></td>
                      </tr>
                   </tbody>
                </table>
             </div>

             <div class="header-links">
	         <a href="./index.html">Home</a> | 
<a href="../information/download.html">Download</a> | 
<a href="./javaeetutorial6.pdf">PDF</a> | 
<a href="../information/faq.html">FAQ</a> | 
<a href="http://download.oracle.com/javaee/feedback.htm">Feedback</a>

             </div>
             <div class="navigation">
                 <a href="bnbxj.html"><img src="graphics/leftButton.gif" border="0" alt="Previous" title="Previous"></a>
                 <a href="p1.html"><img src="graphics/upButton.gif" border="0" alt="Contents" title="Contents"></a>
                 <a href="bnbyj.html"><img src="graphics/rightButton.gif" border="0" alt="Next" title="Next"></a>
             </div>
         </div>

	 <div class="maincontent">      	 
             

<a name="bnbxw"></a><h2>Establishing a Secure Connection Using SSL</h2>
<a name="indexterm-1995"></a><a name="indexterm-1996"></a><a name="indexterm-1997"></a><a name="indexterm-1998"></a><a name="indexterm-1999"></a><a name="indexterm-2000"></a><p><b>Secure Socket Layer</b> (SSL) technology is security that is implemented at the transport layer (see
<a href="bnbwy.html#bnbxc">Transport-Layer Security</a> for more information about transport-layer security). SSL allows web browsers and web
servers to communicate over a secure connection. In this secure connection, the data
is encrypted before being sent and then is decrypted upon receipt and before
processing. Both the browser and the server encrypt all traffic before sending any
data.</p>

<p>SSL addresses the following important security considerations:</p>


<ul><li><p><a name="indexterm-2001"></a><b>Authentication</b>: During your initial attempt to communicate with a web server over a secure connection, that server will present your web browser with a set of credentials in the form of a server certificate. The purpose of the certificate is to verify that the site is who and what it claims to be. In some cases, the server may request a certificate proving that the client is who and what it claims to be; this mechanism is known as client authentication.</p>

</li>
<li><p><a name="indexterm-2002"></a><b>Confidentiality</b>: When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL responses are encrypted so that the data cannot be deciphered by the third party and the data remains confidential.</p>

</li>
<li><p><a name="indexterm-2003"></a><b>Integrity</b>: When data is being passed between the client and the server on a network, third parties can view and intercept this data. SSL helps guarantee that the data will not be modified in transit by that third party.</p>

</li></ul>
<p>The SSL protocol is designed to be as efficient as securely possible. However,
encryption and decryption are computationally expensive processes from a performance standpoint. It is
not strictly necessary to run an entire web application over SSL, and it
is customary for a developer to decide which pages require a secure connection
and which do not. Pages that might require a secure connection include those
for login, personal information, shopping cart checkouts, or credit card information transmittal. Any
page within an application can be requested over a secure socket by simply
prefixing the address with <tt>https:</tt> instead of <tt>http:</tt>. Any pages that absolutely require a
secure connection should check the protocol type associated with the page request and
take the appropriate action if <tt>https:</tt> is not specified.</p>

<p><a name="indexterm-2004"></a>Using name-based virtual hosts on a secured connection can be problematic. This is
a design limitation of the SSL protocol itself. The <b>SSL handshake</b>, whereby the
client browser accepts the server certificate, must occur before the HTTP request is
accessed. As a result, the request information containing the virtual host name cannot
be determined before authentication, and it is therefore not possible to assign multiple
certificates to a single IP address. If all virtual hosts on a single
IP address need to authenticate against the same certificate, the addition of multiple
virtual hosts should not interfere with normal SSL operations on the server. Be
aware, however, that most client browsers will compare the server&rsquo;s domain name against the
domain name listed in the certificate, if any; this is applicable primarily to
official certificates signed by a certificate authority (CA). If the domain names do
not match, these browsers will display a warning to the client. In general,
only address-based virtual hosts are commonly used with SSL in a production environment.</p>



<a name="bnbxx"></a><h3>Verifying and Configuring SSL Support</h3>
<p>As a general rule, you must address the following issues to enable
SSL for a server:</p>


<ul><li><p>There must be a <tt>Connector</tt> element for an SSL connector in the server deployment descriptor.</p>

</li>
<li><p>There must be valid keystore and certificate files.</p>

</li>
<li><p>The location of the keystore file and its password must be specified in the server deployment descriptor.</p>

</li></ul>
<p><a name="indexterm-2005"></a><a name="indexterm-2006"></a>An SSL HTTPS connector is already enabled in the GlassFish Server.</p>

<p><a name="indexterm-2007"></a><a name="indexterm-2008"></a>For testing purposes and to verify that SSL support has been correctly installed,
load the default introduction page with a URL that connects to the port
defined in the server deployment descriptor:</p>

<pre>https://localhost:8181/</pre><p>The <tt>https</tt> in this URL indicates that the browser should be using the
SSL protocol. The <tt>localhost</tt> in this example assumes that you are running the
example on your local machine as part of the development process. The <tt>8181</tt>
in this example is the secure port that was specified where the SSL
connector was created. If you are using a different server or port, modify
this value accordingly.</p>

<p>The first time that you load this application, the New Site Certificate or
Security Alert dialog box appears. Select Next to move through the series of
dialog boxes, and select Finish when you reach the last dialog box.
The certificates will display only the first time. When you accept the certificates, subsequent
hits to this site assume that you still trust the content.</p>



<a name="bnbyb"></a><h3>Working with Digital Certificates</h3>
<a name="indexterm-2009"></a><a name="indexterm-2010"></a><a name="indexterm-2011"></a><a name="indexterm-2012"></a><p>Digital certificates for the GlassFish Server have already been generated and can be
found in the directory  <tt></tt><i>as-install</i><tt>/</tt><i>domain-dir</i><tt>/config/</tt>. These digital certificates are self-signed and are
intended for use in a development environment; they are not intended for production
purposes. For production purposes, generate your own certificates and have them signed by
a CA.</p>

<p>To use SSL, an application or web server must have an associated
certificate for each external interface, or IP address, that accepts secure connections. The theory
behind this design is that a server should provide some kind of reasonable
assurance that its owner is who you think it is, particularly before receiving
any sensitive information. It may be useful to think of a certificate as
a &ldquo;digital driver&rsquo;s license&rdquo; for an Internet address. The certificate states with which
company the site is associated, along with some basic contact information about the
site owner or administrator.</p>

<p><a name="indexterm-2013"></a>The digital certificate is cryptographically signed by its owner and is difficult for anyone
else to forge. For sites involved in e-commerce or in any other business
transaction in which authentication of identity is important, a certificate can be purchased
from a well-known CA such as VeriSign or Thawte. If your server certificate
is self-signed, you must install it in the GlassFish Server keystore file (<tt>keystore.jks</tt>).
If your client certificate is self-signed, you should install it in the GlassFish
Server truststore file (<tt>cacerts.jks</tt>).</p>

<p>Sometimes, authentication is not really a concern. For example, an administrator might simply
want to ensure that data being transmitted and received by the server is
private and cannot be snooped by anyone eavesdropping on the connection. In such
cases, you can save the time and expense involved in obtaining a
CA certificate and simply use a self-signed certificate.</p>

<p><a name="indexterm-2014"></a><a name="indexterm-2015"></a><a name="indexterm-2016"></a><a name="indexterm-2017"></a>SSL uses <b>public-key cryptography</b>, which is based on <b>key pairs</b>. Key pairs contain one public key
and one private key. Data encrypted with one key can be decrypted
only with the other key of the pair. This property is fundamental to
establishing trust and privacy in transactions. For example, using SSL, the server computes a
value and encrypts it by using its private key. The encrypted value
is called a <b>digital signature</b>. The client decrypts the encrypted value by using the server&rsquo;s
public key and compares the value to its own computed value. If the
two values match, the client can trust that the signature is authentic, because
only the private key could have been used to produce such a signature.</p>

<p><a name="indexterm-2018"></a>Digital certificates are used with HTTPS to authenticate web clients. The HTTPS service
of most web servers will not run unless a digital certificate has been
installed. Use the procedure outlined in the next section, <a href="#bnbyc">Creating a Server Certificate</a>, to set up
a digital certificate that can be used by your application or web server
to enable SSL.</p>

<p><a name="indexterm-2019"></a><a name="indexterm-2020"></a><a name="indexterm-2021"></a><a name="indexterm-2022"></a>One tool that can be used to set up a digital certificate
is <tt>keytool</tt>, a key and certificate management utility that ships with the JDK.
This tool enables users to administer their own public/private key pairs and associated
certificates for use in self-authentication, whereby the user authenticates himself or herself to
other users or services, or data integrity and authentication services, using digital signatures.
The tool also allows users to cache the public keys, in the form
of certificates, of their communicating peers. For a better understanding of <tt>keytool</tt> and public-key
cryptography, see the <tt>keytool</tt> documentation at <a href="http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html">http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html</a>.</p>



<a name="bnbyc"></a><h4>Creating a Server Certificate</h4>
<a name="indexterm-2023"></a><p>A server certificate has already been created for the GlassFish Server and can
be found in the <tt></tt><i>domain-dir</i><tt>/config/</tt> directory. The server certificate is in <tt>keystore.jks</tt>. The
<tt>cacerts.jks</tt> file contains all the trusted certificates, including client certificates.</p>

<p><a name="indexterm-2024"></a>If necessary, you can use <tt>keytool</tt> to generate certificates. The <tt>keytool</tt> utility stores
the keys and certificates in a file termed a <b>keystore</b>, a repository
of certificates used for identifying a client or a server. Typically, a keystore
is a file that contains one client&rsquo;s or one server&rsquo;s identity. The keystore
protects private keys by using a password.</p>

<p>If you don&rsquo;t specify a directory when specifying the keystore file name, the
keystores are created in the directory from which the <tt>keytool</tt> command is
run. This can be the directory where the application resides, or it can
be a directory common to many applications.</p>

<p>The general steps for creating a server certificate are as follows.</p>


<ol><li><p>Create the keystore.</p>

</li>
<li><p>Export the certificate from the keystore.</p>

</li>
<li><p>Sign the certificate.</p>

</li>
<li><p><a name="indexterm-2025"></a>Import the certificate into a <b>truststore:</b> a repository of certificates used for verifying the certificates. A truststore typically contains more than one certificate.</p>

</li></ol>
<p><a href="#gjrgy">To Use <tt>keytool</tt> to Create a Server Certificate</a> provides specific information on using the <tt>keytool</tt> utility to perform these steps.</p>



<a name="gjrgy"></a><h4>To Use <tt>keytool</tt> to Create a Server Certificate</h4>
<p>Run <tt>keytool</tt> to generate a new key pair in the default development keystore
file, <tt>keystore.jks</tt>. This example uses the alias <tt>server-alias</tt> to generate a new public/private key
pair and wrap the public key into a self-signed certificate inside <tt>keystore.jks</tt>.
The key pair is generated by using an algorithm of type RSA, with
a default password of <tt>changeit</tt>. For more information and other examples of creating
and managing keystore files, read the <tt>keytool</tt> online help at <a href="http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html">http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html</a>.</p>


<hr><p><b>Note - </b>RSA is public-key encryption technology developed by RSA Data Security, Inc.</p>


<hr>
<p>From the directory in which you want to create the key pair,
run <tt>keytool</tt> as shown in the following steps.</p>

<ol>
<li><b>Generate the server certificate.</b><p>Type the <tt>keytool</tt> command all on one line:</p><pre><tt><b></tt><i>java-home</i><tt>/bin/keytool -genkey -alias server-alias -keyalg RSA -keypass changeit</b></tt>
<tt><b>-storepass changeit -keystore keystore.jks</b></tt></pre><p>When you press Enter, <tt>keytool</tt> prompts you to enter the server name, organizational
unit, organization, locality, state, and country code.</p><p>You must type the server name in response to <tt>keytool</tt>&rsquo;s first prompt, in
which it asks for first and last names. For testing purposes, this can
be <tt>localhost</tt>.</p><p>When you run the example applications, the host (server name) specified in the
keystore must match the host identified in the <tt>javaee.server.name</tt> property specified in
the file <tt></tt><i>tut-install</i><tt>/examples/bp-project/build.properties</tt> (by default, this is <tt>localhost</tt>).</p></li>
<li><b>Export the generated server certificate in <tt>keystore.jks</tt> into the file <tt>server.cer</tt>.</b><p>Type the <tt>keytool</tt> command all on one line:</p><pre><tt><b></tt><i>java-home</i><tt>/bin/keytool -export -alias server-alias -storepass changeit</b></tt>
<tt><b>-file server.cer -keystore keystore.jks</b></tt></pre></li>
<li><b>If you want to have the certificate signed by a CA, read
the example at <a href="http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html">http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html</a>. </b></li>
<li><b>To add the server certificate to the truststore file, <tt>cacerts.jks</tt>, run <tt>keytool</tt>
from the directory where you created the keystore and server certificate.</b><p>Use the following parameters:</p><pre><tt><b></tt><i>java-home</i><tt>/bin/keytool -import -v -trustcacerts -alias server-alias</b></tt>
<tt><b>-file server.cer -keystore cacerts.jks -keypass changeit -storepass changeit</b></tt></pre><p>Information on the certificate, such as that shown next, will appear:</p><pre>Owner: CN=localhost, OU=Sun Micro, O=Docs, L=Santa Clara, ST=CA, 
C=USIssuer: CN=localhost, OU=Sun Micro, O=Docs, L=Santa Clara, ST=CA, 
C=USSerial number: 3e932169Valid from: Tue Apr 08Certificate 
fingerprints:MD5: 52:9F:49:68:ED:78:6F:39:87:F3:98:B3:6A:6B:0F:90 SHA1: 
EE:2E:2A:A6:9E:03:9A:3A:1C:17:4A:28:5E:97:20:78:3F:
Trust this certificate? [no]:</pre></li>
<li><b>Type <tt><b>yes</b></tt>, then press the <tt><b>Enter</b></tt> or <tt><b>Return</b></tt> key.</b><p>The following information appears:</p><pre>Certificate was added to keystore[Saving cacerts.jks]</pre></li></ol>
         </div>
         <div class="navigation">
             <a href="bnbxj.html"><img src="graphics/leftButton.gif" border="0" alt="Previous" title="Previous"></a>
             <a href="p1.html"><img src="graphics/upButton.gif" border="0" alt="Contents" title="Contents"></a>
             <a href="bnbyj.html"><img src="graphics/rightButton.gif" border="0" alt="Next" title="Next"></a>
         </div>

         <div class="copyright">
      	    <p>Copyright &copy; 2011, Oracle and/or its affiliates. All rights reserved. <a href="docinfo.html">Legal Notices</a></p>
      	 </div>

      </td>
   </tr>
</tbody>
</table>
</body>
</html>

